Comment by cryptonector

4 days ago

You're not accurately representing DJB's concern.

His concern is that NSA will get vendors to ship code that will prefer ML-KEM, which, not being a hybrid of ECC and PQC, will be highly vulnerable should ML-KEM turn out to be weak, and then there's the concern that it might be backdoored -- that this is a Dual_EC redux.

I understand his concern perfectly. What I am saying is that his concern is not mitigated at all by the presence or absence of an IETF standard.

This is going to happen anyway (non-hybrid), at least inside USG, because that's what NSA want.